(57) Abstract: A method for adding a conditional ac-
device associated with an audio/video processing device by providing at the broadcast source a datastream
having system information data including an unused
identifier reserved for security data associated with the
additional conditional access system.

METHOD AND SYSTEM FOR ADDING A CONDITIONAL ACCESS SYSTEM

Field of the Invention 

The present invention relates generally to digital audio/video transmission systems,
and more particularly to a method which allows the addition of a conditional access system in
a digital audio/video transmission system without downstream modification of system
information tables in MPEG data.

Background of the Invention 

ISO/IEC 13818-1 (Information Technology-Generic Coding of moving
pictures and associated audio information systems) is an international standard that specifies 
the coding of one or more elementary streams of audio and video as well as other data into 
single or multiple streams suitable for storage and transmission. A transport stream (TS) 
combines one or more programs with one or more independent time bases into a single 
stream. TS packets are 188 bytes in length. Each TS packet has a 4-byte header with a packet 
ID (PID) that identifies the type of data contained in the packet. In addition to A/V packets, a 
TS contains system information tables to demultiplex and present programs. A Program Map 
Table (PMT) is a table that provides the mappings between the program numbers and the 
elements that comprise them. It includes a list of PIDs associated with each program. 

The Advanced Television Systems Committee (ATSC) has adopted the Simulcrypt 
architecture for its Conditional Access (CA) system for terrestrial broadcast. In this 
architecture, each service is transmitted with Entitlement Management Messages (EMMs) and 
Entitlement Control Messages (ECMs) for a number of different proprietary systems. This 
way, decoders using different CA systems can decode the service using a common framework 
for signaling the different entitlement messages. EMMs carry private CA information 
specifying authorization levels or services of specific decoders, whereas ECMs contain
control words for descrambling authorized services. Each service is comprised of audio and 
video packets. Any one decoder picks out the packets it needs and ignores the others in the 
stream. 

In a Simulcrypt based CA system, a digital audio/video processing system, such as a
Digital Television (DTV), parses the PMT and extracts the service and ECM PIDs using a CA
system identification (ID) obtained from the CA module. Normally, each CA module
supports only one CA system, and therefore has only one CA system ID. The PIDs of the
A/V packets and the PIDs of the ECMs carrying the Control Words (CWs) are sent to the CA
module, which descrambles programs having proper purchase entitlements.

Extended Conditional Access (XCA) is a copy protection system for providing local 
protection of audio and video content during transmission and storage in digital home 
networks. It specifies access and presentation devices to access, convert and display protected 
content. Removable security devices (converter and terminal cards) are recommended for
performing security related functions. In XCA, the descrambling keys are rebundled in an
ECM which is protected by a unique local key. The decoder that receives content with local 
ECMs therefore may need to handle not only the content protected by its own particular CA 
system, but by XCA as well. 

The National Renewable Security Standard (NRSS) provides a means for renewable
security to be employed with digital consumer electronics devices such as digital television
receivers and digital VCRs. The security functionality is thus separated from navigational
devices. When an NRSS security device receives protected content from its host device, it
descrambles it, and sends it back to the host device. This link may also need to be protected.

In an ISO/IEC 13818-1 based system, a program may be scrambled in order to provide
a Pay TV service. The transport stream carries the programs, the ECMs and the PMTs. The
PMT has an entry for each CA system that protects the program. Each entry contains the
CA_system_id, the PIDs of the scrambled streams and the PID of the ECMs that contain the
keys to descramble the program.

If the receiving device is also a transformation device which can either add an extra 
CA system, or replace one (for copy protection, for example, like XCA does), then this device
needs to output a transport stream where the PMT has an entry for that new CA system. The 
receiving device may acquire each and every PMT that is present in the original transport 
stream, process them, add the entry for the extra CA system and then insert the modified 
PMTs in the output transport bitstream. 

The aforementioned process can be very burdensome due in part to the limited
processing power of receiving devices. Furthermore, processing complexities increase due to
the fact that PMTs may span more than one transport packet. Thus, adding an entry may
mean adding a packet, which in turn poses a multiplexing problem, as the bitstream may
already be full or the time stamps may need to be adjusted. A method which overcomes these
problems is highly desired.

Summary of Invention 

A method for adding a conditional access system comprises providing at the broadcast
source a data stream having a portion thereof reserved for insertion of security data associated
with the additional conditional access system. The additional CA system is declared during
the original transport stream creation at the broadcast source by adding an entry in the PMT.
This entry defines a unique PID for the ECMs. The PID reserved for the extra CA system
ECMs is not used in any other way, and the transport stream arriving at the receiver device
will not contain any packets having the reserved PID. The present invention implements at
the broadcast source sending 'dummy' entries for data streams that are not present in the CA
protected broadcast, thereby minimizing the PMT processing required for each conversion of
the service data. A correct PMT is thus output from the receiving device without the need to
modify/update tables.

The present invention is embodied in a method of operating a security device in a 
conditional access system comprising receiving a datastream having system information data
including an unused identifier reserved for security data associated with the additional 
conditional access system; and inserting into the data stream the security data associated with 
the additional conditional access system. 

Brief Description of the Figures

Figure 1 illustrates an exemplary embodiment of a network adapted to receive content 
from a broadcasting source and provide copy protection using XCA and NRSS copy 
protection systems. 

Figure 2 illustrates a block diagram of the functional elements and processing flow 
associated with adding a conditional access system according to an aspect of the present
invention. 

Figure 3 illustrates a block diagram of the processing associated with conversion of 
content by a security device for a conditional access system according to an aspect of the 
present invention. 

Figure 4 illustrates an exemplary embodiment of a program map table useful in
carrying out the present invention.

Detailed Description of the Invention 

Figure 1 illustrates a network 10 that receives content via a transport stream from a
broadcasting source, i.e. via content source 20, and provides protection with XCA (described
herein). The content source 20 can provide content 22 of economic value, whether from tape,
DVD, cable, satellite or terrestrial broadcast, for example. The content 22 typically includes
A/V content, which is protected and supplied to subscribers of a private CA network. The
subscribers who purchase, or are otherwise entitled to receive the content 22, are supplied
with necessary keys for descrambling the content 22. According to the embodiment of Figure
1, the content source 20 can provide this CA content 22 to an access device 30, recording
device 40 and/or presentation device 50, for example.

Access device 30 can take the form of a set-top box. The access device 30 operates in
conjunction with a removable security device such as an XCA/NRSS converter card 35 to
create XCA protected content in CA/XCA content 33 from the CA content 22. Recording
device 40 can take the form of a Digital VHS (DVHS) or DVD recorder. The recording
device may or may not be provided with a removable security device such as converter card
45 analogous to the converter card 35. Presentation device 50 can take the form of a DTV,
and operate in conjunction with removable security device XCA/NRSS terminal card 55 for
descrambling CA/XCA protected content.

Figures 2-4 provide schematic illustrations of the processing associated with forming
the transport stream 22 for input into an audio/video processing device 30 and associated
security device 35 and subsequent output of the transport stream 33. Note that the present
invention applies to ISO/IEC 13818-1 compliant data systems, including conditionally
accessed digital TV systems like ATSC, DVB and ARIB (whether Terrestrial, Satellite,
Cable, SMATV, or MMDS).

As shown in Figure 2, the broadcast source 20 includes a source of content which is
encoded via encoder 201 (for example, a PES encoder) and conventional
multiplexer/scrambler module 204. A radiating source such as antenna 208 communicates the
content to audio/video processing device (e.g. receiver) 30 and corresponding security device
35 (see Figs. 1, 3). Program Map Table (PMT) 207 illustrated therein is associated with
transport stream 22. In PMT 207, there is shown an association 207A of CA_system_id 1
with corresponding ECM PID 1, and association 207B of CA_system_id 2 with corresponding
ECM PID 2. In order to add a CA system, an additional CA_system_id is declared at the
broadcast site 20 via an additional table entry 207C into the PMT associating
extra_CA_system_id with corresponding extra_ECM_PID. The additional PID is preferably a
previously unused PID reserved for the ECM of the added or extra CA system. That is, the
PID is not used for transport packets before the bitstream gets transformed at the receiver.
Note that the transport stream 22 shown in Figure 2 (and Figure 3) does not contain the extra
ECMs. At the receiver 30, the PID for the ECM for the extra CA system is extracted from the
PMT 207. The receiver then generates the ECMs with that PID and inserts them into the
datastream to provide output datastream 33.
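
The lookup the receiver performs on PMT 207 can be sketched as follows. This is an added example, not code from the patent: it reads the CA descriptors (tag 0x09 in ISO/IEC 13818-1) in the program-level descriptor loop of a PMT section and returns the ECM PID declared for each CA_system_id. The function names and the CA_system_id values in the constructed sample are assumptions; the PIDs 111, 120 and 121 follow the Fig. 4 discussion.

```python
import struct

CA_DESCRIPTOR_TAG = 0x09  # CA_descriptor tag defined by ISO/IEC 13818-1

def crc32_mpeg(data: bytes) -> int:
    """CRC-32/MPEG-2 used by PSI sections (poly 0x04C11DB7, init all ones)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7 if crc & 0x80000000 else crc << 1) & 0xFFFFFFFF
    return crc

def ecm_pids(section: bytes) -> dict:
    """Return {CA_system_id: ECM PID} from a PMT's program-level CA descriptors."""
    if len(section) < 16 or section[0] != 0x02:
        raise ValueError("not a PMT section")
    end_of_section = 3 + (struct.unpack(">H", section[1:3])[0] & 0x0FFF)
    if end_of_section > len(section) or crc32_mpeg(section[:end_of_section]) != 0:
        raise ValueError("truncated section or bad CRC_32")
    pos = 12
    end = pos + (struct.unpack(">H", section[10:12])[0] & 0x0FFF)
    if end > end_of_section - 4:
        raise ValueError("program_info_length overruns the section")
    found = {}
    while pos + 2 <= end:
        tag, length = section[pos], section[pos + 1]
        if pos + 2 + length > end:
            raise ValueError("descriptor overruns the loop")
        if tag == CA_DESCRIPTOR_TAG and length >= 4:
            ca_system_id, pid_field = struct.unpack(">HH", section[pos + 2:pos + 6])
            found[ca_system_id] = pid_field & 0x1FFF  # low 13 bits carry CA_PID
        pos += 2 + length
    return found

def build_sample_pmt(entries: dict) -> bytes:
    """Constructed PMT: one CA descriptor per entry plus video and audio streams."""
    descs = b"".join(struct.pack(">BBHH", CA_DESCRIPTOR_TAG, 4, sid, 0xE000 | pid)
                     for sid, pid in entries.items())
    streams = (struct.pack(">BHH", 0x02, 0xE000 | 0x100, 0xF000)
               + struct.pack(">BHH", 0x04, 0xE000 | 0x101, 0xF000))
    body = struct.pack(">HBBBHH", 1, 0xC1, 0, 0, 0xE000 | 0x100, 0xF000 | len(descs))
    head = struct.pack(">BH", 0x02, 0xB000 | (len(body) + len(descs) + len(streams) + 4))
    section = head + body + descs + streams
    return section + struct.pack(">I", crc32_mpeg(section))

# Constructed CA_system_id values; PIDs 111, 120 and 121 follow the Fig. 4 discussion.
SAMPLE = build_sample_pmt({0x0001: 111, 0x0F00: 120, 0x0F01: 121})
```

Because the extra entries are already present when the section leaves the broadcast source, the receiver only reads the table; the section and its CRC_32 pass through unchanged.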

Referring more particularly to Figures 3 and 4, there is depicted an exemplary
processing flow of the datastream or bitstream 22 as it would enter and exit a security device
35 such as an Irdeto/XCA CA module. The CA module converts the content to XCA using
the entries provided in PMT 207.

As shown in Fig. 4, table of PID entries 400 includes an entry for the Program
Association Table (PAT) 230. The PAT 230 is predefined in MPEG to be located on PID 000
(0x0000) and points to all the PMT PIDs. There is one PMT for each service. PMT 207
includes entries for all the PIDs that make up a given service (in this case video, audio, CA,
and eventually, CP).

Two "dummy" entries 120, 121 exist in the PMT 207 as it is sent over the network to
security device 35 (Fig. 3). The mapping determines how XCA and CMPS should provide
copy protection. In the example depicted herein, it is understood that the service provider
authorizes XCA and CMPS as copy protection systems. This also provides a mechanism for
the interoperation of more than one cooperating CP system. The two CP system PIDs 120,
121 are not used in the network broadcast data stream shown in Fig. 3 (i.e., there are no
packets sent on these PIDs). When the CA module descrambles the content and converts it to
a CP system, the CA ECM packets (PID 111 in Fig. 4) are removed and replaced with the CP
system packets (PID 120) at the same locations in the bitstream, as illustrated in Fig. 3.
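
The in-place substitution described above can be illustrated with a short sketch. This is an added example, not code from the patent: it checks that the reserved PID carries no packets on input, then swaps each CA ECM packet for a CP ECM packet in the same 188-byte slot, so the packet count and every other packet stay unchanged. The function names, the PMT PID 110, the A/V PIDs and the placeholder ECM payload are assumptions; the sample packets are constructed and carry no adaptation field.

```python
TS_LEN, SYNC = 188, 0x47

def pid_of(packet: bytes) -> int:
    """13-bit PID from the 4-byte TS packet header."""
    return ((packet[1] & 0x1F) << 8) | packet[2]

def ts_packet(pid: int, payload: bytes, cc: int = 0) -> bytes:
    """Payload-only TS packet (no adaptation field), stuffed with 0xFF to 188 bytes."""
    if len(payload) > TS_LEN - 4:
        raise ValueError("payload does not fit in one packet")
    header = bytes([SYNC, (pid >> 8) & 0x1F, pid & 0xFF, 0x10 | (cc & 0x0F)])
    return header + payload.ljust(TS_LEN - 4, b"\xff")

def convert(ts: bytes, ca_ecm_pid: int, cp_ecm_pid: int, make_cp_ecm) -> bytes:
    """Swap each CA ECM packet for a CP ECM packet in the same slot."""
    if len(ts) % TS_LEN:
        raise ValueError("stream is not a whole number of 188-byte packets")
    packets = [ts[i:i + TS_LEN] for i in range(0, len(ts), TS_LEN)]
    if any(p[0] != SYNC for p in packets):
        raise ValueError("sync byte missing")
    if any(pid_of(p) == cp_ecm_pid for p in packets):
        raise ValueError("reserved PID already carries packets (collision)")
    out, cc = [], 0
    for p in packets:
        if pid_of(p) == ca_ecm_pid:
            out.append(ts_packet(cp_ecm_pid, make_cp_ecm(p[4:]), cc))
            cc = (cc + 1) & 0x0F   # continuity counter runs per PID
        else:
            out.append(p)          # A/V, PAT and PMT packets pass through untouched
    return b"".join(out)

def placeholder_cp_ecm(ca_ecm_payload: bytes) -> bytes:
    """Hypothetical stand-in for the module's real ECM rebundling."""
    return b"CP-ECM-PLACEHOLDER"

# Constructed input: PAT, PMT, video, CA ECM, audio, video, CA ECM (PIDs in decimal).
INPUT = b"".join(ts_packet(pid, b"x", i) for i, pid in
                 enumerate([0, 110, 256, 111, 257, 256, 111]))
OUTPUT = convert(INPUT, ca_ecm_pid=111, cp_ecm_pid=120, make_cp_ecm=placeholder_cp_ecm)
```

Running `convert` a second time on `OUTPUT` raises the collision error, which is the condition the broadcaster avoids by never sending packets on the reserved PIDs.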

Addition of the dummy entries to the PMT 207 has the following benefits: First, the
provider can ensure that there are no collisions by abstaining from sending data on the PIDs
specified for CP ECM data. This way, the CA module does not have to pick a PID and run
the risk of 'colliding' with another PID that the broadcaster is using. Second, if the
broadcaster does not want the program to be copied, he does not put the CP entries into the PMT.
If the pirate wants to tape this program, he will have to edit the PMT properly in addition to
all other requirements for making a recording. Note that the PMT 207 is valid both before
and after the CA/CP conversion.

Note also that a recording device such as that depicted in Figure 1 will also not have to
modify any entries in the PMT. (Even in the systems where recording devices need to change
CP system data flags.) The CP system control flags will be located in the CP ECM PID 
packets and can be modified there. 

The present invention also contemplates the possibility of 'reuse' of the CA system
PID for the CP system data. However, in a simulcrypt system, this makes it difficult to find
the CP system ECMs. Either the PMT must be changed so that it points to the XCA ECMs
properly, or a device trying to find the XCA ECMs must know which CA system initially
descrambled the content. In addition, if the stream is to be ISO/IEC 13818-1 compliant,
modification of the PMT may also be required.

CLAIMS

1. A method for adding a conditional access system to a digital audio/video transmission
system that delivers content from a source to a security device associated with an audio/video
processing device, said method comprising:

providing at said broadcast source a datastream having system information data
including an unused identifier reserved for security data associated with said additional
conditional access system.

2. The method according to claim 1, further comprising said security device providing
said security data using said unused identifier in said data stream.

3. The method according to claim 1, wherein said security data includes entitlement 
control messages. 

4. The method according to claim 1, wherein said providing step further comprises
inserting at said broadcast source at least one entry into a program map table associating said 
additional conditional access system with a packet identifier, said packet identifier being 
associated with entitlement control messages. 

5. A method of operating a security device in a conditional access system comprising:

receiving a datastream having system information data including an unused identifier
reserved for security data associated with said additional conditional access system; and

inserting into said data stream said security data associated with said additional
conditional access system.

6. The method according to claim 5, wherein said additional conditional access system
comprises a copy protection system. 



7. The method according to claim 5, further comprising parsing a map table associating
said unused identifier with said additional conditional access system to obtain said
security data for insertion into said data stream.

8. The method according to claim 5, wherein said security device does not update said 
program map table for said additional conditional access system. 

9. A method for creating system information tables for an additional conditional access 
system sent in a datastream from a content source to a security device, said method 
comprising 

providing table entries having an unused identifier reserved for security data
associated with said additional conditional access system.

10. The method according to claim 9, further comprising inserting at said security device 
security data associated with said identifier. 

11. A method for adding a conditional access system to a digital audio/video transmission
system that delivers content from a source to a security device associated with an audio/video 
processing device, said method comprising: 

providing at said broadcast source a datastream having a portion reserved for 
downstream insertion of security data. 